[BreachExchange] Federal District Court Dismisses Data Breach Class Action Complaint Against Scottrade

[Audrey McNeil]

http://www.jdsupra.com/legalnews/federal-district-court-dismisses-data-73481/

On July 12, 2016, the United States District Court for the Eastern District
of Missouri granted Scottrade’s motion to dismiss a putative class action
complaint that was predicated on the alleged theft of personal information
from Scottrade.

Based on the allegations in the complaint, Scottrade sells brokerage,
banking, and retirement planning services.  When a customer opens an
account with Scottrade, the customer must give the firm various types of
personal information.  Between September 2013 and February 2014, hackers
accessed Scottrade’s customer databases and downloaded the personal
information of approximately 4.6 million customers.  Scottrade did not know
about the incident until August 2015, when the FBI contacted Scottrade
about it.  In October 2015, Scottrade started to notify customers about the
incident.  The firm also offered to provide a year of credit monitoring and
identity theft insurance.

After Scottrade publicly announced the incident, multiple customers filed
putative class action lawsuits.  Eventually, the various suits were
consolidated in the United States District Court for the Eastern District
of Missouri.  The plaintiffs’ consolidated complaint alleged multiple
causes of action, including breach of contract, breach of implied contract,
negligence, and violations of various state consumer protection statutes.

To satisfy the United States Constitution’s jurisdictional case or
controversy requirement, plaintiffs must establish that they have standing
to sue.  This requires a statement of sufficient facts at the pleadings
stage to show that plaintiffs “(1) suffered an injury in facts, (2) that is
fairly traceable to the challenged conduct of the defendant, and (3) that
is likely to be redressed by a favorable judicial decision.”  An injury in
fact is “an invasion of a legally protected interest” that is (1) “concrete
and particularized” and (2) “actual or imminent, not conjectural or
hypothetical.”  Scottrade contended that the plaintiffs lacked standing
because they had not suffered an injury in fact.  The plaintiffs alleged
that they had suffered a variety of injuries, but the court rejected each
one as a basis for standing.

First, the plaintiffs alleged that they had an increased risk of identity
theft and identity fraud.  The court concluded that these “increased risks”
were not “actual” or “imminent” because the plaintiffs did not allege that
anyone had used or intended to use their stolen personal information to
commit identity theft, identity fraud, or any other conduct that had harmed
them or would harm them.  Additionally, the court noted that two years had
passed since the incident and the plaintiffs had not alleged that a single
instance of identity theft or identity fraud had occurred.

Second, the plaintiffs alleged that they had suffered the financial or
temporal cost of monitoring their credit, monitoring their financial
accounts, and mitigating their damages.  The Court noted that, in data
breach cases, the cost of mitigating the risk of future injury cannot be an
injury in fact unless the future injury being mitigated against is
imminent.  The Court, however, had already determined that the future
injuries being mitigated against—identity theft and identity fraud—were not
imminent.  Given the lack of an imminent future injury to mitigate against,
the Court concluded these alleged facts did not satisfy the injury in fact
requirement.

Third, the plaintiffs alleged that they did not receive the full benefit of
their bargain with Scottrade because the brokerage and financial services
that they had received were less valuable than the ones that they thought
they had purchased.  Fourth, the plaintiffs alleged that the data breach
deprived them of the value of their personal information.  Specifically,
the plaintiffs alleged that, after the data breach, their information
became less valuable—especially to them—because they were no longer the
only people able to monetize the information.  The Court rejected the
plaintiffs’ third and fourth alleged injuries because the plaintiffs had
not alleged facts that could sufficiently support them.

Finally, the plaintiffs alleged that the data breach caused an invasion of
their privacy and a breach of the confidentiality of their personal
information.  The Court, however, concluded that the plaintiffs had not
alleged any facts that demonstrated that the alleged invasion of privacy or
breach of confidentiality used any damages or injury.

A copy of the Scottrade decision is available by clicking here (
https://kslawemail.com/84/1157/uploads/duqum-v--79---memorandum-and-order-granting-scottrade-s-....pdf).


In a different data breach putative class action lawsuit, a Wendy’s
customer alleged that the company had failed to adequately safeguard the
financial information of customers.  On July 15, 2016, the United State
District Court for the Middle District of Florida granted Wendy’s motion to
dismiss the class action complaint because the plaintiff had failed to
satisfy the injury in fact component of the Constitution’s standing
requirement.  The Court, however, gave the plaintiff the opportunity to
file an amended class action complaint to cure the deficiencies in the
class action complaint that the Court dismissed.

A copy of the Wendy’s decision is available by clicking here (
https://kslawemail.com/84/1157/uploads/torres-v--70---order-granting-wendy-s-motion-to-dismiss-....pdf
).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160726/b5442c5e/attachment.html>